Advanced SQL Injection

Presented at DEF CON 17 (2009), Aug. 2, 2009, 10 a.m. (50 minutes)

SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited. Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible. The key areas are: IDS Evasion, Web Application Firewall Bypass Privilege Escalation Re-Enabling stored procedures Obtaining an interactive command-shell Data Exfiltration via DNS

Presenters:

• Joseph McCray - Founder of Learn Security Online
  Joseph McCray has 8 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught the CISSP, CEH, CHFI, and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#McCray
• https://infocon.org/cons/DEF CON/DEF CON 17/DEF CON 17 video and slides/DEF CON 17 - Joseph McCray - Advanced SQL Injection - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=-AkUutmXwUI

Similar Presentations:

• DerbyCon 2.0 Reunion (2012) / SQL Injection 101
• DEF CON 10 (2002) / SQL Injection
• DEF CON 20 (2012) / SQL ReInjector - Automated Exfiltrated Data Identification